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Abstract 

(TS//SI//REL) The goal of forward-based defense is to detect and mitigate malicious 
threats in real-time, as close to the source as possible. It is part of a layered defense 
strategy with four concentric zones: endpoint-, perimeter-, aggregation-, and forward- 
based defenses. The QUANTUMTHEORY mission leverages NSA's vast system of 
distributed passive sensors to detect target traffic and tip a centralized 
command/control node. This node assesses the tip and injects a response towards the 
target using active TAO assets. 

(TS//SI//REL) Extremely powerful CNE/CND/CNA network effects are enabled by 
integrating our passive and active systems: 

resetting connections 
redirecting targets for exploitation 
=* taking control of IRC bots 
" corrupting file uploads/downloads 
=• More! 

(TS//SI//REL) The success rate of these effects is largely determined by the latency 
from tip-to-target. OFIRE is a consolidated QUANTUMTHEORY platform under 
development that reduces latencies by co-locating (1) existing passive sensors with (2) 
local decision resolution, and (3) the ability to locally inject traffic to achieve the 
desired network effect. 



Topics 

Layered Defense Model 
=* NSA TURBULENCE Architecture 
=* TURMOIL passive SIGINT sensors 
^TURBINE active SIGINT command/control 
^ QUANTUMTHEORY 

^ Integrating passive/active systems for 
CNE/CND/CNA 
^ QFIRE 

^Consolidated low-latency QUANTUMTHEORY 
capability under development for forward-based 
defense 
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Forward-based Defense 
NSA TURBULENCE Architec 
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Distributed Sensors: Passive 



Accesses 




TURMOIL 




TUTELAGE 



| (S//SI//REL) High-speed passive collection 
systems intercept foreign target satellite, microwave, 
and cable communications as they transit the qlobe. 









TURBINE: Active Mission Management 
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Implants (TAO) 



V (TS//SI//REL) TURBINE provides 

centralized automated command/control 
of a large network of active implants 






QUANTUMTHEORY 



=> (TS//SI//REL) Extremely powerful CNE/CND/CNA network 
effects are enabled by integrating our passive and active systems: 

* Resetting connections (QUANTUMSKY) 

=» Redirecting targets for exploitation (QUANTUMINSERT) 

- Taking control of IRC bots (QUANTUMBOT) 

* Corrupting file uploads/downloads (QUANTUMCOPPER) 

(TS//SI//REL) QUANTUMTHEORY dynamically injects packets into a 
target's network session to achieve CNE/CND/CNA network effects. 

=* Dete ct: TURMOIL passive sensors detect target traffic & tip TURBINE command/control. 
=- Decide : TURBINE mission logic constructs response & forwards to TAO node. 

** Inject : TAO node injects response onto Internet towards target. 

(TS//SI//REL) The propagation delay from tip-to-target determines the 
success rate of the network effect. Less Latency = More Success! 



QFIRE: Consolidate for 



IffQ^IYEikiit^tltt QC-^a 



5-Jcl anti c/Pacific latency 
QUANTUMTHEORY Path: site ° NSAW-TURBINE ° target 



(TS//SI//REL) QFIRE collocates at site: sensor, decision logic, and 
local/regional injection capability to achieve low latency. 

" Use existing SIGINT sensors for alerting 
" Local decision resolution (local TURBINE) 

" Local/regional injection capability 
^ QFIRE Path: site ° target 

(TS//SI//REL) A low latency capability substantially increases the 
variety of achievable CNE/CND/CNA network effects and improves 
their overall effectiveness. 



QFIRE/Forward-Based 

Defense: 

EfM&B e n c i es 

^ Conduct time trials & evaluate operational effectiveness 
^ Develop/deploy QFIRE for high-speed SSO cable site(s) 

^ Dependencies 

^ Grow regional shooter infrastructure (more Points-of-Presence) 

^ Develop local/regional insertion capability at SSO cable accesses 

^ Enhance cloud analytics and QUANTUM missions 
^ Botnet mitigation pilot effort 



QFIRE Components @ 




QFIRE @ SCS: 
Physical/Virtual 
Network 
Architecture 
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HTTP Web Client/Server 



=> Client initiates request, then server replies 
=> TCP socket: 

- Client: TCP SYN 

- Server: TCP SYN/ACK 

HTTP 1.1 Persistent Connection 
-Client: HTTP GET1 

- Server: HTTP Responsel 

-Client: HTTP GET2 

- Server: HTTP Response2 



QUANTUM INSERT: racing 
te&erver 

= Wait for client to initiate new connection 

- Observe server-to-client TCP SYN/ACK 
-Shoot! (HTTP Payload) 

- Hope to beat server-to-client HTTP Response 
=* The Challenge: 

-Can only win the race on some links/targets 

- For many links/targets: too slow to win the race! 



QUANTUM INSERT: racing 
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on server-to-client TCP 
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QUANTUMTHEORY 
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TURMOIL Layer 3+Passive Sensor/ Event Detection 
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ISLANDTRANSPORT: Enterprise Message Service 
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TURBINE: Gommand/ Gontrol Decision Logic 
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TAO injection implant 
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♦Timing Measurements, QUANTUMTHEORY Workshop, October 2010 



